Checking Pwned Passwords against Active Directory’s NTLM Hashes

Pwned Passwords is a great web service that lets you check your own password against millions of compromised and leaked passwords. It is not only constantly updated by its owner, Troy Hunt, but also offers text-based downloadable files and an API for anyone interested in building a third-party app.


Newly added to the list are the password hashes in NTLM format, which can be compared against the hashes in any AD environment. That's wonderful news for those of us who mostly work in a Windows environment, myself included.

Here are the steps for how this can be done. I personally haven't had a chance to test it myself, but I surely will in the near future.

  1. Download the entire 517M NTLM password hashes either as a torrent or courtesy of Cloudflare aggressively caching them.
  2. Export AD hashes either using PowerShell or the built-in ntdsutil command line.
  3. Check out the Match-ADHashes PowerShell script on GitHub or the Compromise Checker by Semrau Security.
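The core of step 3 is a simple offline join: load the (small) set of exported AD hashes into memory, then stream the (huge) Pwned Passwords NTLM file once and report every account whose hash appears in it. The example below is an added illustration of that join, not the Match-ADHashes script or the Compromise Checker. It assumes the Pwned Passwords NTLM download has one `UPPERCASEHEX:count` entry per line, and it assumes the AD export has been written as `username:ntlmhash` lines; both the sample export and the sample hash list are constructed here, so the counts are not real breach figures. Hex case is normalised because AD export tools and the Pwned Passwords list do not necessarily agree on it.

```python
"""Match NTLM hashes exported from Active Directory against the Pwned Passwords NTLM list.

Added example; not the Match-ADHashes script or the Compromise Checker.
Assumptions (the post does not fix these formats):
  * the Pwned Passwords NTLM file has one "UPPERCASEHEX:count" entry per line;
  * the AD export is a text file of "username:ntlmhash" lines.
The 517M-line hash file is streamed, so only the small AD export is kept in memory,
and nothing is sent to the online API: the comparison is entirely offline.
"""
from typing import Dict, Iterable, List, Tuple

HEX_DIGITS = frozenset("0123456789ABCDEF")

# Constructed sample export (not real accounts). The first and third entries are the
# well-known NTLM hash of the string "password", once lower-case and once upper-case,
# to show that two accounts can share a hash and that case must be normalised.
SAMPLE_AD_EXPORT = """\
# username:ntlm_hash  (constructed sample)
alice:8846f7eaee8fb117ad06bdd830b7586c
bob:0A0B0C0D0E0F00010203040506070809
svc_backup:8846F7EAEE8FB117AD06BDD830B7586C
carol:FFEEDDCCBBAA99887766554433221100
"""

# Constructed sample of the Pwned Passwords NTLM file; counts are placeholders.
SAMPLE_PWNED_NTLM = """\
8846F7EAEE8FB117AD06BDD830B7586C:3500000
11111111111111111111111111111111:42
FFEEDDCCBBAA99887766554433221100:7
"""


def parse_ad_export(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each NTLM hash (upper-case hex) to the accounts that hold it.

    Several accounts may share one hash (same password), so the value is a list.
    Malformed hashes raise rather than silently producing a false "clean" result.
    """
    by_hash: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition keeps usernames such as DOMAIN\user or user@realm intact.
        user, _, digest = line.rpartition(":")
        digest = digest.strip().upper()
        if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"bad NTLM hash for {user!r}: {digest!r}")
        by_hash.setdefault(digest, []).append(user)
    return by_hash


def find_pwned(ad_by_hash: Dict[str, List[str]],
               pwned_lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Stream the Pwned Passwords NTLM list and return (user, hash, count) for every hit.

    Only one pass over the big file is made; lookups are O(1) set/dict membership.
    """
    hits: List[Tuple[str, str, int]] = []
    for raw in pwned_lines:
        line = raw.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        users = ad_by_hash.get(digest.upper())
        if users:
            seen = int(count) if count.strip().isdigit() else 0
            hits.extend((u, digest.upper(), seen) for u in users)
    return sorted(hits)


def run_sample() -> List[Tuple[str, str, int]]:
    """Run the join over the constructed sample data."""
    ad = parse_ad_export(SAMPLE_AD_EXPORT.splitlines())
    return find_pwned(ad, SAMPLE_PWNED_NTLM.splitlines())


if __name__ == "__main__":
    # With real data: open("pwned-passwords-ntlm-ordered-by-count.txt") for the
    # pwned_lines argument, so the file is streamed line by line, never read whole.
    for user, digest, count in run_sample():
        print(f"{user:<12} {digest}  seen {count} times in breaches")
```

Accounts that appear in the output are the ones whose password should be reset (and, where several accounts share a hit, whose password has been reused); the breach count gives a rough sense of how guessable the password is.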
